CLAIMS

What is claimed is: 

1. A method for providing a first service and a second service to a user via a
client being coupled to a data communication network, said first service being provided 
by a first network server also being coupled to the data communication network, said 
second service being provided by a second network server also being coupled to the 
data communication network, said method comprising: 

receiving a first request from the first network server to provide the first service to 
the user; 

storing first data on the client in response to the received first request, said first 
data identifying the first service; 

receiving a second request from the second network server to provide the 
second service to the user; 

allowing the user access to the second service in response to the received 
second request; and 

wherein, in response to allowing the user access to the second service, the user 
is allowed access to the first service as a result of the stored first data. 

2. The method of claim 1, wherein the first service and the second service are in
different domains.

3. The method of claim 1, wherein the stored first data indicates a policy group
associated with the first service, and further comprising allowing, in response to allowing 
the user access to the second service, the user access to the first service if the second 
service is associated with the policy group indicated by the stored first data. 

4. The method of claim 3, wherein members of the policy group share a set of
business rules, said set of business rules comprising a privacy policy. 

5. The method of claim 1, wherein said first request indicates a desire of the first 
network server to provide the first service to the user, and wherein said receiving the first request 
comprises receiving the first request from a first network server via an image tag.

6. The method of claim 1, further comprising storing second data on the client in
response to the received first request, said second data being issued by the first 
network server to indicate that the first network server has requested to provide the first 
service to the user. 

7. The method of claim 6, wherein the first data and the second data are 
implemented as cookies stored on the client. 

8. The method of claim 6, wherein on a subsequent visit to the first network 
server by the user, the first network server is adapted not to request to provide the first 
service to the user if the second data is stored on the client.

9. The method of claim 6, wherein the stored first data indicates a policy group
associated with the first service, and further comprising deleting the second data from 
the client in response to allowing the user access to the second service if the second 
service is associated with the policy group indicated by the stored first data. 

10. The method of claim 9, wherein said deleting comprises rendering a web 
page to the client, said web page including an image tag directing the client to a script of 
the second service, said script adapted to delete the second data from the client. 

11. The method of claim 10, wherein said allowing the user access to the
second service comprises authenticating the user for access to the second service. 

12. The method of claim 11, further comprising generating an authentication
ticket and communicating the generated authentication ticket to the second network 
server after the user has been authenticated. 

13. The method of claim 12, further comprising: 

communicating the generated authentication ticket to the first network server in 
response to deleting the second data from the client; and 

wherein the user is authenticated for access to the first service as a result of the 
generated authentication ticket being communicated to the first network server.

14. The method of claim 1, wherein one or more computer-readable media have
computer-executable instructions for performing the method recited in claim 1.

15. A method for providing a first service and a second service to a user via a 
client being coupled to a data communication network, said first service being provided 
by a first network server also being coupled to the data communication network, said 
second service being provided by a second network server also being coupled to the 
data communication network, said method comprising: 

receiving a first request from the first network server to provide the first service to 
the user; 

allowing the user access to the first service in response to the received first 
request; 

storing first data on the client in response to allowing the user access to the first 
service, said first data identifying a first policy group associated with the first service; 

receiving a second request from the second network server to provide the 
second service to the user; 

if the second service is associated with the first policy group identified by the 
stored first data, allowing the user access to the second service in response to the 
received second request; and 

if the second service is not associated with the first policy group identified by the 
stored first data, updating the stored first data to identify the second service.

16. The method of claim 15, wherein said second request indicates a desire of
the second network server to provide the second service to the user, and wherein said 
receiving the second request comprises receiving the second request from the second 
network server via an image tag.

17. The method of claim 15 further comprising providing user information 
associated with the user to the second service if the second service is associated with 
the first policy group identified by the stored first data. 

18. The method of claim 15 further comprising: 

storing second data on the client if the second service is not associated with the 
first policy group identified by the stored first data, said second data being issued by the 
second network server to indicate that the second network server has requested to 
provide the second service to the user; and 

wherein on a subsequent visit to the second network server by the user, the 
second network server is adapted not to request to provide the second service to the 
user if the second data is stored on the client. 

19. The method of claim 15, wherein the updated first data further identifies a 
second policy group associated with the second service. 



20. The method of claim 19, further comprising:

receiving a third request from a third network server to provide a third service to
the user, said third network server also being coupled to the data communication 
network; 

authenticating the user for access to the third service in response to the received 
third request; 

allowing the user access to the third service if the user has been authenticated; and

wherein, in response to allowing the user access to the third service, the user is 
allowed access to the second service on a subsequent visit to the second network 
server if the third service is associated with the second policy group identified by the 
updated first data. 

21. The method of claim 15, wherein one or more computer-readable media
have computer-executable instructions for performing the method recited in claim 15.

22. A system for providing services to a user, said system comprising: 

a first network server coupled to a data communication network, said first 
network server being configured to provide a first service to a user via a client also 
coupled to the data communication network; 

a second network server coupled to the data communication network, said 
second network server being configured to provide a second service to the user via the 
client;

a central server coupled to the data communication network, said central server
being configured to receive a first request from the first network server to provide the 
first service to the user and a second request from the second network server to provide 
the second service to the user; 

said first network server being configured to direct the first request to the central 
server, said central server further being configured to generate and store first data on 
the client in response to receiving the first request, said first data identifying the first 
service; 

said second network server being configured to direct the second request to the 
central server; 

wherein, in response to the received second request, the central server is 
configured to allow the user access to the second service; and 

wherein, in response to allowing the user access to the second service, the 
central server is configured to allow the user access to the first service as a result of the 
stored first data. 

23. The system of claim 22, wherein the first network server and the second 
network server are configured to communicate the first request and the second request 
to the central server via an image tag, and wherein the first request indicates a desire of 
the first network server to provide the first service to the user. 

24. The system of claim 22, further comprising:

a database associated with the central server, said database being configured to
store information identifying a policy group associated with the second service; 

wherein the stored first data further indicates a policy group associated with the 
first service; and 

wherein, in response to allowing the user access to the second service, the 
central server is configured to allow the user access to the first service if the policy 
group identified by the stored information is the same as the policy group indicated by 
the stored first data. 

25. The system of claim 24, wherein members of the policy group identified by 
the stored information share a set of business rules, said set of business rules 
comprising a privacy policy, and wherein the central server is configured to provide an 
authentication service that regulates the set of business rules. 

26. The system of claim 22, wherein the first network server is being configured 
to generate and store second data on the client in response to directing the first request 
to the central server, said second data indicating that the first network server has
requested to provide the first service to the user, and wherein on a subsequent visit to 
the first network server by the user, the first network server is configured not to direct a 
request to the central server to provide the first service to the user if the second data is 
stored on the client. 



27. The system of claim 26, further comprising:

a database associated with the central server, said database being configured to
store information identifying a policy group associated with the second service; 

wherein the stored first data further indicates the policy group associated with the 
first service; and 

wherein, in response to allowing the user access to the second service, if the 
policy group identified by the stored information is the same as the policy group 
indicated by the stored first data, the central server is configured to render a web page 
to the client, said web page including an image tag directing to a script of the second 
service, said script adapted to delete the second data from the client. 

28. The system of claim 27, wherein said allowing the user access to the second 
service comprises authenticating the user by the central server for access to the second 
service. 

29. The system of claim 28, wherein the central server is configured to generate 
an authentication ticket and to communicate the generated authentication ticket to the 
second network server after the user has been authenticated by the central server, 
wherein the central server is further configured to communicate the generated 
authentication ticket to the first network server in response to deleting the second data 
from the client, and wherein the user is authenticated for access to the first service as a 
result of the generated authentication ticket being communicated to the first network 
server. 



EL 998651 820 US 64 MS#304543.01 (MSFT 51 01 ) 

PATENT 

30. A system for providing services to a user, said system comprising:

a first network server coupled to a data communication network, said first
network server being configured to provide a first service to a user via a client also
coupled to the data communication network;

a second network server coupled to the data communication network, said
second network server being configured to provide a second service to the user via the
client;

a central server coupled to the data communication network, said central server
being configured to receive a first request from the first network server to provide the 
first service to the user and a second request from the second network server to provide 
the second service to the user; 

a database associated with the central server, said database being configured to 
store information identifying a first policy group associated with the first service and a 
second policy group associated with the second service;

wherein, in response to the received first request, the central server is configured 
to allow the user access to the first service and to generate and store first data on the 
client based on the stored information, said first data identifying the first policy group 
associated with the first service; 

wherein if the second policy group identified by the stored information is the 
same as the first policy group identified by the stored first data, the central server is 
configured to allow the user access to the second service in response to the received 
second request; and

wherein if the second policy group identified by the stored information is not the
same as the first policy group identified by the stored first data, the central server is
configured to update the stored first data to identify the second service in response to 
the received second request. 

31. The system of claim 30, wherein the central server is further being
configured to provide user information associated with the user to the second service if
the second policy group identified by the stored information is the same as the first
policy group identified by the stored first data. 

32. The system of claim 30, 

wherein the second network server is being configured to generate and store 
second data on the client if the second policy group identified by the stored information 
is not the same as the first policy group identified by the stored first data, said second 
data indicating that the second network server has communicated the second request to 
the central server, said second request indicating a desire of the second network server 
to provide the second service to the user; and 

wherein on a subsequent visit to the second network server by the user, the 
second network server is configured not to direct a request to the central server to 
provide the second service to the user if the second data is stored on the client. 

33. The system of claim 30, wherein the updated first data further identifies the 
second policy group associated with the second service.

34. The system of claim 33, further comprising:

a third network server coupled to the data communication network, said third 
network server being configured to provide a third service to the user via the client; 

said central server being further configured to receive a third request from the 
third network server to provide the third service to the user and to authenticate the user 
for access to the third service in response to the received third request; 

wherein the stored information further identifies a third policy group associated 
with the third service; and 

wherein the central server is configured to allow the user access to the second 
service on a subsequent visit to the second network server if the user has been 
authenticated and if the third policy group identified by the stored information is the 
same as the second policy group identified by the updated first data. 

35. One or more computer-readable media having computer-executable 
components for providing a first service and a second service to a user via a client 
being coupled to a data communication network, said first service being provided by a 
first network server also being coupled to the data communication network, said second 
service being provided by a second network server also being coupled to the data 
communication network, said computer-readable media comprising: 

a redirect component for receiving a first request from the first network server to 
provide the first service to the user and for receiving a second request from the second 
network server to provide the second service to the user;

a response component for storing first data on the client in response to the
received first request, said first data identifying the first service; 

an authentication component for allowing the user access to the second service 
in response to the received second request; and 

wherein, in response to allowing the user access to the second service, the 
authentication component is adapted to allow the user access to the first service as a 
result of the stored first data. 

36. The computer-readable media of claim 35, further comprising a storage 
component for storing information identifying a policy group associated with the second 
service, wherein the stored first data indicates a policy group associated with the first 
service, and wherein, in response to allowing the user access to the second service, the 
authentication component is adapted to allow the user access to the first service if the 
policy group identified by the stored information is the same as the policy group 
indicated by the stored first data. 

37. The computer-readable media of claim 35, wherein the first request indicates 
a desire of the first network server to provide the first service to the user, wherein the 
response component is adapted to store second data on the client in response to the 
received first request, said second data indicating that the first network server has 
requested to provide the first service to the user, and wherein on a subsequent visit to 
the first network server by the user, the first network server is adapted not to request to 
provide the first service to the user if the second data is stored on the client.

38. The computer-readable media of claim 37, further comprising:

a storage component for storing information identifying a policy group associated 
with the second service; 

wherein the stored first data indicates a policy group associated with the first 
service; and 

wherein, in response to allowing the user access to the second service, if the 
policy group identified by the stored information is the same as the policy group
indicated by the stored first data, the response component is adapted to render a web 
page to the client, said web page including an image tag directing to a script of the 
second service, said script adapted to delete the second data from the client. 

39. The computer-readable media of claim 38, wherein the authentication 
component is adapted to authenticate the user before allowing the user access to the 
second service. 

40. The computer-readable media of claim 39, wherein the authentication component is 
adapted to generate an authentication ticket and to communicate the generated authentication 
ticket to the second network server after the user has been authenticated, wherein the 
authentication component is further adapted to communicate the generated authentication ticket 
to the first network server in response to deleting the second data from the client, and wherein 
the user is authenticated for access to the first service as a result of the generated authentication 
ticket being communicated to the first network server. 



